<?php

/**
 * PHP SQL-injection request filter: rejects GET/POST/COOKIE values that match a
 * regex blacklist of SQL keywords. A heuristic only — not a replacement for
 * prepared statements.
 * by www.jbxue.com
 */
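class sqlsafe {

    // Regex blacklists (compiled with the "is" modifiers) applied to the flattened
    // value of every GET / POST / COOKIE parameter. The GET pattern deliberately
    // omits the leading \b that the POST/COOKIE patterns carry, so it is stricter.
    // NOTE(review): a keyword blacklist is a heuristic, not a defence — every query
    // must still use bound parameters; treat this class as defence in depth only.
    private $getfilter = "(and|or)\\b.+?(>|<|=|in|like)|\\/\\*.+?\\*\\/|<\\s*script\\b|\\bEXEC\\b|UNION.+?SELECT|UPDATE.+?SET|INSERT\\s+INTO.+?VALUES|(SELECT|DELETE).+?FROM|(CREATE|ALTER|DROP|TRUNCATE)\\s+(TABLE|DATABASE)";
    private $postfilter = "\\b(and|or)\\b.{1,6}?(=|>|<|\\bin\\b|\\blike\\b)|\\/\\*.+?\\*\\/|<\\s*script\\b|\\bEXEC\\b|UNION.+?SELECT|UPDATE.+?SET|INSERT\\s+INTO.+?VALUES|(SELECT|DELETE).+?FROM|(CREATE|ALTER|DROP|TRUNCATE)\\s+(TABLE|DATABASE)";
    private $cookiefilter = "\\b(and|or)\\b.{1,6}?(=|>|<|\\bin\\b|\\blike\\b)|\\/\\*.+?\\*\\/|<\\s*script\\b|\\bEXEC\\b|UNION.+?SELECT|UPDATE.+?SET|INSERT\\s+INTO.+?VALUES|(SELECT|DELETE).+?FROM|(CREATE|ALTER|DROP|TRUNCATE)\\s+(TABLE|DATABASE)";

    /**
     * Scans every GET, POST and COOKIE parameter as a side effect of construction.
     * The first value that matches its source's blacklist terminates the request
     * (see stopattack()). Only values are inspected; parameter keys are not.
     */
    public function __construct() {
        foreach ($_GET as $key => $value) {
            $this->stopattack($key, $value, $this->getfilter);
        }
        foreach ($_POST as $key => $value) {
            $this->stopattack($key, $value, $this->postfilter);
        }
        foreach ($_COOKIE as $key => $value) {
            $this->stopattack($key, $value, $this->cookiefilter);
        }
    }

    /**
     * Flattens a request value to a single string so that every leaf is inspected.
     *
     * The original implode() call only handled one level: a nested array such as
     * `?a[b][]=...` was converted to the literal "Array" (with a warning), so its
     * contents were never matched against the blacklist. Leaves are concatenated
     * in iteration order with no separator, exactly as implode() did for flat arrays.
     *
     * @param mixed $value scalar or (possibly nested) array from a superglobal
     * @return string
     */
    public static function flattenValue($value) {
        if (!is_array($value)) {
            return (string) $value;
        }
        $joined = '';
        foreach ($value as $leaf) {
            $joined .= self::flattenValue($leaf);
        }
        return $joined;
    }

    /**
     * Aborts the request with a 404 if the value matches the given pattern fragment.
     *
     * @param string $StrFiltKey   parameter name (currently unused beyond logging intent)
     * @param mixed  $StrFiltValue parameter value, scalar or nested array
     * @param string $ArrFiltReq   regex body; wrapped in "/.../is" here, so it must
     *                             not contain an unescaped "/"
     * @return void on a clean value; never returns on a hit (die()).
     */
    public function stopattack($StrFiltKey, $StrFiltValue, $ArrFiltReq) {
        $subject = self::flattenValue($StrFiltValue);
        $matched = preg_match("/" . $ArrFiltReq . "/is", $subject);
        // preg_match() returns false on a PCRE error, e.g. when a long payload
        // exhausts pcre.backtrack_limit against the .+? alternations above. The
        // original `== 1` test let such a request pass unfiltered (fail open);
        // an error is now treated like a hit so the filter fails closed.
        if ($matched === false || $matched === 1) {
            // Logging was commented out in the original; writeslog() is available
            // if the project wants blocked requests recorded.
            header("HTTP/1.1 404 Not Found");
            die('error1111');
        }
    }

    /**
     * Records a blocked request through the project's write_log() helper, which is
     * defined elsewhere (not visible in this file). Not called by stopattack() as
     * shipped.
     *
     * @param string $log free-form line; callers are expected to pass raw request
     *                    data, so CR/LF are stripped here to keep one request from
     *                    forging additional log lines (assumes a line-based log —
     *                    TODO confirm against write_log()).
     * @return void
     */
    public function writeslog($log) {
        $line = str_replace(array("\r", "\n"), ' ', (string) $log);
        write_log('INFO', 'Index.php', '请求参数:'.$line, 'sql_', true);
    }

}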

?>